Using DigestSign/DigestVerify functions for better FIPS compatibility
Resolves: RHEL-5217
This commit is contained in:
parent
c06e3e9d62
commit
6242770aa2
@ -471,12 +471,60 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
|
||||
|
||||
#include "xmss_fast.h"
|
||||
|
||||
@@ -392,13 +394,14 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
||||
{
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
u_char *sig = NULL;
|
||||
- int ret, slen, len;
|
||||
+ int ret, slen;
|
||||
+ size_t len;
|
||||
|
||||
if (sigp == NULL || lenp == NULL) {
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
- slen = EVP_PKEY_size(pkey);
|
||||
+ slen = EVP_PKEY_get_size(pkey);
|
||||
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
||||
ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto error;
|
||||
}
|
||||
- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||
- EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
||||
- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
||||
+ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
||||
+ NULL, pkey) != 1 ||
|
||||
+ EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
|
||||
+ EVP_DigestSignFinal(ctx, sig, &len) != 1) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto error;
|
||||
}
|
||||
@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey
|
||||
if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
}
|
||||
- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||
- EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
||||
+ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
||||
+ NULL, pkey) != 1 ||
|
||||
+ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto done;
|
||||
}
|
||||
- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
||||
+ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
|
||||
switch (ret) {
|
||||
case 1:
|
||||
ret = 0;
|
||||
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
|
@ -824,6 +824,8 @@ getent passwd sshd >/dev/null || \
|
||||
Resolves: RHEL-11548
|
||||
- Avoid sshd_config 256K limit
|
||||
Resolves: RHEL-5279
|
||||
- Using DigestSign/DigestVerify functions for better FIPS compatibility
|
||||
Resolves: RHEL-5217
|
||||
|
||||
* Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
|
||||
- rebuilt
|
||||
|
Loading…
Reference in New Issue
Block a user